When working with Azure, authenticating service principals securely is essential. While client secrets are commonly used, certificates offer a more secure option. In this guide, we will walk through how to create and use a self-signed certificate to authenticate a service principal in Azure.
Step 1: Switching to the Admin Account
Before beginning, ensure you’re logged in with the appropriate admin credentials:
Disconnect-AzAccount
Connect-AzAccount
This ensures you’re operating as a global admin in Entra ID.
Step 2: Creating a Self-Signed Certificate
Next, instead of using a client secret, we’ll create a self-signed certificate. In PowerShell, use the `New-SelfSignedCertificate` command to generate it:
$cert = New-SelfSignedCertificate -DnsName AzureVMManagement -CertStoreLocation cert:\CurrentUser\My
This command creates a certificate named `AzureVMManagement` and stores it in the user’s certificate store.
Step 3: Exporting the Private Key
The certificate is next exported, together with its private key, to a password-protected `.pfx` file; the next step reads the certificate back from this file:
$secPassword = ConvertTo-SecureString -String "P@ss0word!" -Force -AsPlainText
Export-PfxCertificate -Cert $cert -FilePath C:\VMManagementAppPrivateKey.pfx -Password $secPassword
Here, the private key is protected with a password and exported to a `.pfx` file. Guard this file as carefully as the client secret it replaces: anyone who holds the file and its password can authenticate as the application.
Step 4: Importing the Certificate
Now that the certificate is exported, it is read back in and its public portion is encoded as a base-64 string, which is the format Azure expects for a certificate credential:
$PfxCertificate = Get-PfxCertificate -FilePath C:\VMManagementAppPrivateKey.pfx -Password $secPassword
$keyValue = [System.Convert]::ToBase64String($PfxCertificate.GetRawCertData())
This converts the certificate data into the format Azure requires. Note that `GetRawCertData()` returns only the public certificate (DER-encoded), so the private key never leaves the machine; Azure only needs the public key to verify the signed token requests the service principal will make.
Step 5: Adding the Certificate to the Application
Find your application by name and add the certificate:
$app = Get-AzADApplication -DisplayName VMManagement
New-AzADAppCredential -ApplicationId $app.AppId -CertValue $keyValue -StartDate $PfxCertificate.NotBefore -EndDate $PfxCertificate.NotAfter
This command attaches the base-64 certificate to the Azure application. The start and end dates are taken from the certificate itself, so the credential cannot remain valid beyond the certificate's own lifetime.
Step 6: Removing Old Certificates
If there are old certificates on the application, clean them up:
$oldCerts = (Get-AzADApplication -DisplayName VMManagement).KeyCredentials | Sort-Object EndDateTime | Select-Object -SkipLast 1
$oldCerts | ForEach-Object { Remove-AzADAppCredential -ApplicationId $app.AppId -KeyId $_.KeyId }
This removes all but the latest-expiring certificate, ensuring only the active one remains. If other hosts or pipelines still authenticate with one of the older certificates, they will stop working the moment it is removed, so confirm nothing depends on them before cleaning up.
Step 7: Authenticating with the New Certificate
Finally, test authentication using the newly created certificate:
Connect-AzAccount -ServicePrincipal -CertificateThumbprint $PfxCertificate.Thumbprint -ApplicationId $app.AppId -TenantId (Get-AzContext).Tenant.TenantId
If everything is set up correctly, this will allow you to authenticate to Azure using the service principal and the new certificate. The certificate with that thumbprint must be present in the local certificate store (here `cert:\CurrentUser\My`), because the client uses its private key to sign the token request.
Step 8: Testing Permissions
Test if the service principal’s permissions are intact:
Get-AzVM
You should be able to manage VMs. For further testing, try a disallowed action:
Get-AzADApplication
This should be blocked if the service principal's permissions are correctly scoped.
Step 9: Removing the Certificate
To see what happens if the certificate is removed:
$cert | Remove-Item
Connect-AzAccount -ServicePrincipal -CertificateThumbprint $PfxCertificate.Thumbprint -ApplicationId $app.AppId -TenantId (Get-AzContext).Tenant.TenantId
Without the certificate in the local store, the client cannot sign the authentication request and the sign-in fails; the certificate is what establishes trust with Azure.
Always ensure certificates are stored safely and backed up where appropriate, so that losing a local copy does not lock you out of the service principal.
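The steps above combined into a single rotation function, as an added example that is not part of the original post. It keeps the private key non-exportable (so no `.pfx` or PFX password exists), uploads only the public certificate, verifies the upload before removing anything, and prunes only credentials that have already expired. It assumes the Az.Accounts and Az.Resources modules, an existing admin session, and that `KeyCredentials[].CustomKeyIdentifier` holds the certificate thumbprint bytes; the function and parameter names are the example's own.

```powershell
# Added example, not from the original post. Assumes Az.Accounts + Az.Resources and an admin session.
function Invoke-AppCertRotation {
    param(
        [Parameter(Mandatory)] [string] $AppDisplayName,
        [string] $Subject = "CN=$AppDisplayName",
        [int] $ValidMonths = 12
    )
    $app = @(Get-AzADApplication -DisplayName $AppDisplayName)
    if ($app.Count -ne 1) { throw "Expected exactly one app named '$AppDisplayName', found $($app.Count)." }
    $app = $app[0]

    # Non-exportable key: the private key never leaves this machine's key store,
    # so there is no .pfx file or PFX password to protect.
    $cert = New-SelfSignedCertificate -Subject $Subject `
        -CertStoreLocation Cert:\CurrentUser\My `
        -KeyExportPolicy NonExportable `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -NotAfter (Get-Date).AddMonths($ValidMonths)

    # Only the public certificate (DER) is uploaded; Entra ID never sees the private key.
    $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())
    New-AzADAppCredential -ApplicationId $app.AppId -CertValue $keyValue `
        -StartDate $cert.NotBefore -EndDate $cert.NotAfter | Out-Null

    # Verify the upload before touching anything else. Assumption: CustomKeyIdentifier is the
    # SHA-1 thumbprint, either as raw bytes or as a base-64 string depending on the Az version.
    $creds = (Get-AzADApplication -DisplayName $AppDisplayName).KeyCredentials
    $new = $creds | Where-Object {
        $id = $_.CustomKeyIdentifier
        if ($id -is [string]) { $id = [System.Convert]::FromBase64String($id) }
        (($id | ForEach-Object { $_.ToString('X2') }) -join '') -eq $cert.Thumbprint
    }
    if (-not $new) { throw "New credential not found on '$AppDisplayName'; leaving old credentials in place." }

    # Prune only credentials that have already expired. Removing everything but the newest would
    # cut off a still-valid certificate that other hosts may be using until they are switched over.
    $now = (Get-Date).ToUniversalTime()
    $creds | Where-Object { $_.EndDateTime -lt $now -and $_.KeyId -ne $new.KeyId } | ForEach-Object {
        Remove-AzADAppCredential -ApplicationId $app.AppId -KeyId $_.KeyId
    }

    # Smoke test: sign in as the service principal with the new thumbprint.
    # Note this replaces the current admin session with the service principal's context.
    $tenantId = (Get-AzContext).Tenant.Id
    Connect-AzAccount -ServicePrincipal -CertificateThumbprint $cert.Thumbprint `
        -ApplicationId $app.AppId -TenantId $tenantId | Out-Null
    return $cert.Thumbprint
}
```

Run it as `Invoke-AppCertRotation -AppDisplayName VMManagement` from the admin session; the returned thumbprint is the value to configure on any other host that should use the new certificate.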